Summary and recommendation
Datadog supports native SCIM 2.0 provisioning, but only for Infrastructure Pro ($15-$18/host/month) or Enterprise ($23-$27/host/month) plans. Teams on the free tier or basic plans can't access automated provisioning at all. Additionally, Datadog's SCIM has a critical limitation: team provisioning via Microsoft Entra is completely broken due to a Microsoft security freeze that has blocked third-party app updates since late 2024.
This creates a significant gap for DevOps teams using Entra as their identity provider. While you can provision users automatically, team assignments—which control access to specific dashboards, alerts, and monitoring data—must be managed manually. For fast-growing engineering teams who need immediate access to production monitoring, this defeats the purpose of automation and creates security risks when engineers don't get proper access controls.
The pricing barrier compounds the problem. Moving from Datadog's free tier to Pro just for SCIM access can cost $15-$18 per monitored host per month. For a team monitoring 50 hosts, that's $9,000-$10,800/year in additional licensing costs primarily to unlock provisioning features.
The strategic alternative
Datadog gates SCIM behind Infrastructure Pro or Enterprise. That can unlock provisioning, but it still does not complete the offboarding, access review, or license workflow across the rest of your stack. Stitchflow builds and maintains the IT workflows your team still runs manually, across every app, including the ones without APIs.
Quick SCIM facts
| SCIM available? | Yes |
| SCIM tier required | Enterprise |
| SSO required first? | Yes |
| SSO available? | Yes |
| SSO protocol | SAML 2.0 |
| Documentation | Official docs |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | ✓ | ✓ | OIN app with full provisioning |
| Microsoft Entra ID | ✓ | ✓ | Gallery app with SCIM |
| Google Workspace | ✓ | JIT only | SAML SSO with just-in-time provisioning |
| OneLogin | ✓ | ✓ | Supported |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages Datadog accounts manually. Here's what that costs:
The Datadog pricing problem
Datadog gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.
Plan Structure (Host-based pricing, annual billing)
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Free | $0 (5 hosts max) | ||
| Infrastructure Pro | $15/host/month | ||
| Infrastructure Enterprise | $23/host/month |
Note: SCIM supports both user and team provisioning. Additional products like APM ($31-40/host/month), DevSecOps Pro ($22/host/month), and Log Management ($0.10/GB) stack on top of base infrastructure pricing.
What this means in practice
Using current list prices (Free → Infrastructure Pro for SCIM access):
| Infrastructure Size | Annual Cost for Pro Tier |
|---|---|
| 25 hosts | $4,500/year |
| 50 hosts | $9,000/year |
| 100 hosts | $18,000/year |
| 200 hosts | $36,000/year |
Calculation: $15 × hosts × 12 months (before any additional product costs)
Additional constraints
Summary of challenges
- Datadog supports SCIM but only at Enterprise tier (custom pricing)
- Google Workspace users get JIT provisioning only, not full SCIM
- Our research shows teams manually provisioning this app spend significant hidden costs annually
What the upgrade actually includes
Datadog doesn't sell SCIM separately. It's bundled into Infrastructure Pro or Enterprise plans starting at $15-23/host/month:
The challenge: you're paying for infrastructure monitoring capacity (per host) when you might only need identity management. A 100-person engineering team could easily hit $1,500-2,300/month just for user provisioning access, plus the actual monitoring costs.
Stitchflow Insight
We estimate ~60% of Infrastructure Pro/Enterprise features are monitoring-specific and irrelevant for teams that only need automated user provisioning. You're essentially buying observability platform access to get basic identity automation.
What IT admins are saying
Community sentiment on Datadog's SCIM implementation reveals significant frustration with platform-specific limitations and pricing barriers. Common complaints:
- Being locked out of SCIM unless on Infrastructure Pro or Enterprise plans
- Team provisioning completely broken on Microsoft Entra due to security freezes
- Having to disable SAML JIT provisioning to avoid conflicts with SCIM
- Enterprise-level complexity for basic identity management needs
Team provisioning via Entra SCIM is unavailable due to Microsoft freeze - we're stuck managing teams manually or using workarounds like Terraform.
You have to disable JIT when using SCIM to avoid discrepancies. So much for seamless integration.
The recurring theme
Datadog's SCIM feels like an afterthought with platform-specific breakdowns and configuration conflicts that force admins into manual workarounds for basic provisioning tasks.
The decision
| Your Situation | Recommendation |
|---|---|
| On Infrastructure Standard, need SCIM | Use Stitchflow: avoid the $15-23/host/month Pro/Enterprise upgrade |
| On Infrastructure Pro/Enterprise already | Use native SCIM: you're paying for it and it works well |
| Using Entra ID, need team provisioning | Use Stitchflow: Entra team sync is broken due to Microsoft freeze |
| Fast-growing DevOps team, need rapid onboarding | Use Stitchflow: ensures engineers get monitoring access immediately |
| Small, stable engineering team | Manual may work: but observability data sensitivity makes SCIM worthwhile |
The bottom line
Datadog gates SCIM behind Infrastructure Pro or Enterprise. The upgrade may unlock provisioning, but the workflow still has to complete across the rest of your stack.
Close the Datadog workflow gap
Datadog gates SCIM behind Infrastructure Pro or Enterprise, but the bigger issue is the workflow around it. Stitchflow builds and maintains the offboarding, access review, or license workflow underneath.
Technical specifications
SCIM Version
2.0
Supported Operations
Create, Update, Deactivate, Groups
Supported Attributes
Not specifiedPlan requirement
Enterprise
Prerequisites
SSO must be configured first
Key limitations
- SCIM only in Infrastructure Pro or Enterprise plans
- Strongly recommend disabling SAML JIT when using SCIM
- Team provisioning via Entra SCIM unavailable due to Microsoft freeze (late 2024 security incident)
- Service account application key recommended for SCIM
Configuration for Okta
Integration type
Okta Integration Network (OIN) app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
SCIM endpoint URL and bearer token (generated in app admin console).
Configuration steps
Enable Create Users, Update User Attributes, and Deactivate Users.
Provisioning trigger
Okta provisions based on app assignments (users or groups).
SCIM 2.0 for user and team (Managed Teams) provisioning. Recommend service account application key. Team sync via push groups with exact name matching. Aquera connector also available.
Datadog gates SCIM behind Infrastructure Pro or Enterprise. The upgrade may unlock provisioning, but the workflow still has to complete across the rest of your stack.
Configuration for Entra ID
Integration type
Microsoft Entra Gallery app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
Tenant URL (SCIM endpoint) and Secret token (bearer token from app admin console).
Configuration steps
Set Provisioning Mode = Automatic, configure SCIM connection.
Provisioning trigger
Entra provisions based on user/group assignments to the enterprise app.
Sync behavior
Entra provisioning runs on a scheduled cycle (typically every 40 minutes).
SCIM 2.0 for user provisioning. Team provisioning unavailable due to Microsoft freeze on third-party app updates (late 2024 security incident). Use SAML mapping or Terraform for teams.
Datadog gates SCIM behind Infrastructure Pro or Enterprise. The upgrade may unlock provisioning, but the workflow still has to complete across the rest of your stack.
Close the workflow gap in
Datadog
Datadog gates SCIM behind Infrastructure Pro or Enterprise plan. That can unlock provisioning, but it still does not complete the offboarding, access review, or license workflow across your stack.
Start with the free gap diagnostic
